[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXnsuuwZ6reeouV6kuRsf3J6jWNE6rz0vq7Mea1IR6CI":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":48,"crawl_stats":38,"alternatives":55,"analysis":56,"fingerprints":202},"wp-force-images-download","WP-Force Images Download","1.9","Nazakat Ali","https:\u002F\u002Fprofiles.wordpress.org\u002Fnazakatali32\u002F","\u003Cp>This is a simple plugin that allows you to force the download of images or pictures such as jpeg, png, etc.\u003Cbr \u002F>\nThis plugin is very useful to those who want to download post attachments or featured images. Just put the template tag in single.php and this plugin automatically generates the download link for every post.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note:\u003C\u002Fstrong> The post must have a featured image because this plugin generates a download link of the attached featured image of every post, if the post(s) have not featured image the download button would not appear.\u003Cbr \u002F>\n\u003Cem>By using shortcode you can set your “custom image link” for each button. You can use multiple shorcodes on single page\u002Fpost.\u003C\u002Fem>\u003C\u002Fp>\n\u003Ch4>NEW FEATURES ADDED\u003C\u002Fh4>\n\u003Col>\n\u003Cli>\n\u003Cp>Now \u003Cstrong>custom CSS class\u003C\u002Fstrong> can be added in shortcode for each button. Example\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>[wpfid class=\"myclass\"]\u003C\u002Fcode>\u003Cbr \u002F>\nThis class can be used to give customized look for each button. To add your custom CSS code\u003Cbr \u002F>\nGoto \u003Ccode>settings >> Wp-Force Images Download\u003C\u002Fcode> page and add your CSS code here and save settings.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Renaming Image file on download when using \u003Cstrong>template tag\u003C\u002Fstrong>\u003Cbr \u002F>\nNow you  can rename iamge file when it is downloaded using template tag.\u003Cbr \u002F>\nNote there are three parameters for \u003Cstrong>template tag\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>First one to change \u003Cstrong>TEXT\u003C\u002Fstrong> that would appear on download button. By Default its \u003Ccode>Download\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Second parameter to change \u003Cstrong>color scheme\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Third parameter is to \u003Cstrong>change name of image\u003C\u002Fstrong> on download.\u003Cbr \u002F>\n\u003Cstrong>How to use it: See example below\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Example(s):\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",\"NEW FILE NANME\");?>\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",get_the_title());?>\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",current_time('timestamp'));?>\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",get_the_title().current_time('timestamp'));?>\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>\u003Cstrong>Need Any Help? Post your Question\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Now you can rename images when downloaded.There two ways to rename.\u003C\u002Fp>\n\u003Ch4>1. Using Shortcode\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>[wpfid new_name=\"new-name-of-file\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>You can use variables also like this\n\u003Cul>\n\u003Cli>\u003Ccode>[wpfid new_name=\"%post_id%\"]\u003C\u002Fcode> \u003C\u002Fli>\n\u003Cli>\u003Ccode>[wpfid new_name=\"%filename%_%rand%\"]\u003C\u002Fcode> , etc.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Note :\u003C\u002Fh4>\n\u003Cp>You have to specify name only \u003Cstrong>without file extension\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Have Any Question? Let me know__post your question on support page.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>2. Bulk Rename Images\u003C\u002Fh4>\n\u003Cp>Goto \u003Cstrong>\u003Ccode>settings >> Wp-Force Images Download\u003C\u002Fcode>\u003C\u002Fstrong> page and set your desired combination to rename images. e.g. \u003Ccode>%filename%-%rand%\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Default value:\u003Ccode>none\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Note: These variables will be replaced with their corresponding values.You can use any  combination.e.g. \u003Ccode>%site_name%_%filename%-%post_id%\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>This option will not rename original files. If you set new name in shortcode for individual images, the name in shortcode will be preferred.\u003C\u002Fli>\n\u003Cli>\u003Ccode>%site_name%:\u003C\u002Fcode> Replaced with the site title. \u003Ccode>Goto Settings >> General >> [Site Title]\u003C\u002Fcode> to change this value.\u003C\u002Fli>\n\u003Cli>\u003Ccode>%post_title%:\u003C\u002Fcode> Replaced with the current \u003Cstrong>post title\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ccode>%timestamp%:\u003C\u002Fcode> Replaced with the current time in \u003Cstrong>unix timestamp format\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ccode>%post_id%:\u003C\u002Fcode> Replaced with the current \u003Cstrong>post id\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ccode>%rand%:\u003C\u002Fcode> Replaced with the 5-digit random number between \u003Cstrong>0 to 100000 e.g. 82469\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ccode>%md5%:\u003C\u002Fcode> Replaced with the \u003Cstrong>md5 hash\u003C\u002Fstrong> of orginal filename\u003C\u002Fli>\n\u003Cli>\u003Ccode>%filename%:\u003C\u002Fcode> Replaced with the \u003Cstrong>orginal filename\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Now you can set your own custom download link in shortcode.\u003C\u002Fh4>\n\u003Cp>e.g.\u003Cbr \u002F>\n    [wpfid link=”http:\u002F\u002Flink-to\u002Fyour\u002Fimage.jpg”]\u003C\u002Fp>\n\u003Ch4>HOW TO USE THIS PLUGIN:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>This plugin can be used in two ways:\n\u003Col>\n\u003Cli>by using template tag \u003C\u002Fli>\n\u003Cli>by using shortcode\u003C\u002Fli>\n\u003C\u002Fol>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>1). By Using Template Tag\u003C\u002Fh4>\n\u003Cp>You have to put the template tag in your single.php file of your theme, where you want to appear the download button.\u003C\u002Fp>\n\u003Ch4>There are three ways to use template tag\u003C\u002Fh4>\n\u003Col>\n\u003Cli>\u003Ccode>\u003C?php wp_fid();?>\u003C\u002Fcode> This is simple form with default settings.\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\");?>\u003C\u002Fcode> This will allow you to set \u003Cstrong>custom text\u003C\u002Fstrong> to appear on download button. Default is \u003Cem>Download\u003C\u002Fem>\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\");?>\u003C\u002Fcode> This will allow you to set \u003Cstrong>custom text\u003C\u002Fstrong> along with \u003Cstrong>custom color \u003Ccode>(e.g. pink,green,yellow,purple,#ffcc66,#cccccc,#f80, rgb(255,56,35) etc)\u003C\u002Fcode>\u003C\u002Fstrong>. Default color is \u003Ccode>grey\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",\"NEW FILE NANME\");?>\u003C\u002Fcode> This will allow you to set \u003Cstrong>custom text\u003C\u002Fstrong>,\u003Cstrong>custom color\u003C\u002Fstrong>, \u003Cstrong>new name of image when downloaded\u003C\u002Fstrong>.\n\u003Cul>\n\u003Cli>More Examples:\n\u003Cul>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",\"NEW FILE NANME\");?>\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",get_the_title());?>\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",current_time('timestamp'));?>\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>\u003C?php wp_fid(\"Some Text\",\"green\",get_the_title().current_time('timestamp'));?>\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cul>\n\u003Cli>Second function allows you to set custom text for download button.e.g.\n \u003C\u002Fli>\n\u003Cli>\n\u003Cp>The default \u003Cstrong>title text\u003C\u002Fstrong> is \u003Cstrong>Download\u003C\u002Fstrong> and \u003Cem>default color\u003C\u002Fem> is \u003Ccode>grey\u003C\u002Fcode>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Note:If Featured Image is not set for post the download button would not appear on page.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>2). By Using Shortcode\u003C\u002Fh4>\n\u003Cp>You have to put shortcode in the post content or page, while writing post.\u003Cbr \u002F>\nThere are five ways to use SHORTCODE.\u003C\u002Fp>\n\u003Col>\n\u003Cli>\u003Ccode>[wpfid]\u003C\u002Fcode> This is simple form with default settings.\u003C\u002Fli>\n\u003Cli>\u003Ccode>[wpfid title=\"some text\"]\u003C\u002Fcode> This will allow you to set custom text to appear on download button. Default is “Download”\u003C\u002Fli>\n\u003Cli>\u003Ccode>[wpfid title=\"some text\" color=\"green\"]\u003C\u002Fcode> This will allow you to set custom text along with custom color. Default color is “grey”\u003C\u002Fli>\n\u003Cli>\u003Ccode>[wpfid title=\"some text\" color=\"green\" link=\"http:\u002F\u002Flink-to\u002Fyour\u002Fimage.jpg\"]\u003C\u002Fcode> This will allow you to set \u003Cem>custom text\u003C\u002Fem>, \u003Cem>custom color\u003C\u002Fem> and \u003Cstrong>custom download link\u003C\u002Fstrong>.\u003Cbr \u002F>\nBy Default \u003Cem>download button\u003C\u002Fem> will download \u003Cstrong>Featured image of the Post or Page\u003C\u002Fstrong> where you have added shortcode , if you have set featured image.\u003C\u002Fli>\n\u003Cli>\u003Ccode>[wpfid title=\"some text\" color=\"green\" link=\"http:\u002F\u002Flink-to\u002Fyour\u002Fimage.jpg\" class=\"my_custom_class\"]\u003C\u002Fcode> This will allow you to set \u003Cem>custom text\u003C\u002Fem>, \u003Cem>custom color\u003C\u002Fem>, \u003Cstrong>custom download link\u003C\u002Fstrong> and \u003Cstrong>custom CSS class\u003C\u002Fstrong>.\u003Cbr \u002F>\nThis class can be used to give customized look for each button. To add your custom CSS code\u003Cbr \u002F>\nGoto \u003Ccode>settings >> Wp-Force Images Download\u003C\u002Fcode> page and add your \u003Cstrong>custom CSS code\u003C\u002Fstrong> here and save settings.\u003C\u002Fli>\n\u003C\u002Fol>\n","A simple plugin that force the download of images or pictures such as jpeg,png etc.",90,9065,98,8,"2025-10-25T19:16:00.000Z","6.8.5","3.0","",[20,21,22,23,24],"featured-imgae-download","force-images-download","generate-download-button","pictures-download-button","templatetag-force-download","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-force-image-download\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-force-images-download.zip",99,1,0,"2025-10-21 20:17:11","2026-03-15T15:16:48.613Z",[33],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":6,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":30,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2025-11809","wp-force-images-download-authenticated-contributor-stored-cross-site-scripting-via-shortcode","WP-Force Images Download \u003C= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-10-30 14:15:56",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F07775638-270b-4424-8e2a-3ead1d752c88?source=api-prod",9,{"slug":49,"display_name":7,"profile_url":8,"plugin_count":50,"total_installs":51,"avg_security_score":52,"avg_patch_time_days":47,"trust_score":53,"computed_at":54},"nazakatali32",2,110,100,94,"2026-04-04T15:39:57.375Z",[],{"attackSurface":57,"codeSignals":108,"taintFlows":133,"riskAssessment":196,"analyzedAt":201},{"hooks":58,"ajaxHandlers":100,"restRoutes":101,"shortcodes":102,"cronEvents":107,"entryPointCount":28,"unprotectedCount":29},[59,65,69,73,77,80,82,87,91,93,97],{"type":60,"name":61,"callback":62,"file":63,"line":64},"action","admin_menu","wp_force_images_download_admin_menu_setup","inc.php",15,{"type":66,"name":67,"callback":68,"priority":50,"file":63,"line":11},"filter","plugin_action_links","wp_force_images_download_link",{"type":60,"name":70,"callback":71,"file":63,"line":72},"admin_init","wp_force_images_download_init",145,{"type":60,"name":74,"callback":75,"file":63,"line":76},"admin_notices","wpfid_admin_notice",283,{"type":60,"name":70,"callback":78,"file":63,"line":79},"wpfid_nag_ignore",318,{"type":60,"name":70,"callback":78,"file":63,"line":81},346,{"type":60,"name":70,"callback":83,"priority":84,"file":85,"line":86},"wpfid_nonce_chk",999,"wp_fid.php",68,{"type":60,"name":88,"callback":89,"priority":84,"file":85,"line":90},"wp_enqueue_scripts","wpfid_styles",77,{"type":60,"name":88,"callback":92,"file":85,"line":53},"wpfid_custom_css",{"type":60,"name":94,"callback":95,"file":85,"line":96},"admin_post_nopriv_wpfid_download","wpfid_handle_download",308,{"type":60,"name":98,"callback":95,"file":85,"line":99},"admin_post_wpfid_download",309,[],[],[103],{"tag":104,"callback":105,"file":85,"line":106},"wpfid","wp_fid_short",266,[],{"dangerousFunctions":109,"sqlUsage":110,"outputEscaping":112,"fileOperations":129,"externalRequests":130,"nonceChecks":131,"capabilityChecks":28,"bundledLibraries":132},[],{"prepared":29,"raw":29,"locations":111},[],{"escaped":86,"rawEcho":113,"locations":114},6,[115,119,121,123,125,127],{"file":116,"line":117,"context":118},"fd.php",137,"raw output",{"file":116,"line":120,"context":118},189,{"file":85,"line":122,"context":118},295,{"file":85,"line":124,"context":118},420,{"file":85,"line":126,"context":118},464,{"file":85,"line":128,"context":118},517,7,3,10,[],[134,160,182],{"entryPoint":135,"graph":136,"unsanitizedCount":29,"severity":159},"\u003Cfd> (fd.php:0)",{"nodes":137,"edges":155},[138,143,149,151],{"id":139,"type":140,"label":141,"file":116,"line":142},"n0","source","$_POST (x2)",17,{"id":144,"type":145,"label":146,"file":116,"line":147,"wp_function":148},"n1","sink","header() [Header Injection]",132,"header",{"id":150,"type":140,"label":141,"file":116,"line":142},"n2",{"id":152,"type":145,"label":153,"file":116,"line":117,"wp_function":154},"n3","echo() [XSS]","echo",[156,158],{"from":139,"to":144,"sanitized":157},true,{"from":150,"to":152,"sanitized":157},"low",{"entryPoint":161,"graph":162,"unsanitizedCount":29,"severity":159},"wpfid_handle_download (wp_fid.php:311)",{"nodes":163,"edges":178},[164,167,171,172,174,176],{"id":139,"type":140,"label":165,"file":85,"line":166},"$_POST",315,{"id":144,"type":145,"label":168,"file":85,"line":169,"wp_function":170},"wp_remote_get() [SSRF]",384,"wp_remote_get",{"id":150,"type":140,"label":165,"file":85,"line":166},{"id":152,"type":145,"label":146,"file":85,"line":173,"wp_function":148},502,{"id":175,"type":140,"label":165,"file":85,"line":166},"n4",{"id":177,"type":145,"label":153,"file":85,"line":128,"wp_function":154},"n5",[179,180,181],{"from":139,"to":144,"sanitized":157},{"from":150,"to":152,"sanitized":157},{"from":175,"to":177,"sanitized":157},{"entryPoint":183,"graph":184,"unsanitizedCount":29,"severity":159},"\u003Cwp_fid> (wp_fid.php:0)",{"nodes":185,"edges":192},[186,187,188,189,190,191],{"id":139,"type":140,"label":165,"file":85,"line":166},{"id":144,"type":145,"label":168,"file":85,"line":169,"wp_function":170},{"id":150,"type":140,"label":165,"file":85,"line":166},{"id":152,"type":145,"label":146,"file":85,"line":173,"wp_function":148},{"id":175,"type":140,"label":165,"file":85,"line":166},{"id":177,"type":145,"label":153,"file":85,"line":128,"wp_function":154},[193,194,195],{"from":139,"to":144,"sanitized":157},{"from":150,"to":152,"sanitized":157},{"from":175,"to":177,"sanitized":157},{"summary":197,"deductions":198},"The 'wp-force-images-download' v1.9 plugin exhibits a generally positive security posture based on the static analysis. The plugin effectively utilizes prepared statements for all SQL queries, has a high percentage of properly escaped output, and implements a good number of nonce and capability checks. The limited attack surface, with no unprotected AJAX handlers or REST API routes, is also a strong indicator of good security practices. Taint analysis revealing no unsanitized paths further reinforces this, suggesting a low risk of common injection vulnerabilities.\n\nHowever, the presence of one known medium-severity vulnerability in its history, specifically related to Cross-Site Scripting (XSS), warrants attention. While currently patched, it indicates a past weakness in output neutralization that could potentially re-emerge if code is modified without careful consideration. The plugin also performs file operations and external HTTP requests, which, while not inherently insecure, represent potential vectors for compromise if not handled with extreme care and proper sanitization, though the static analysis did not flag any specific issues here. The plugin's reliance on a single shortcode as its sole entry point is a strength in terms of attack surface, but it's crucial that this shortcode's implementation is robust against any potential input manipulation.\n\nOverall, 'wp-force-images-download' v1.9 appears to be a relatively secure plugin. Its strengths lie in its proactive use of security measures like prepared statements and output escaping, and its small, protected attack surface. The historical medium-severity XSS vulnerability is a cautionary note, emphasizing the need for ongoing vigilance and thorough code reviews for any future updates. The performance of file operations and external requests should be continuously monitored for any subtle vulnerabilities that might arise.",[199],{"reason":200,"points":131},"Historical medium severity XSS vulnerability","2026-03-16T21:17:19.231Z",{"wat":203,"direct":210},{"assetPaths":204,"generatorPatterns":206,"scriptPaths":207,"versionParams":208},[205],"\u002Fwp-content\u002Fplugins\u002Fwp-force-images-download\u002Fstyle.css",[],[],[209],"wp-force-images-download\u002Fstyle.css?ver=",{"cssClasses":211,"htmlComments":213,"htmlAttributes":214,"restEndpoints":220,"jsGlobals":221,"shortcodeOutput":222},[212],"wpfid_button",[],[215,216,217,218,219],"wpfid_image_size_option","wpfid_icon","wpfid_btn_style","new_name_attr","wpfid_field",[],[],[223,105],"[wpfid"]